What to expect now that Internet providers can collect and sell your Web browser history

After Congress handed President Trump legislation Tuesday that would wipe away landmark privacy protections for Internet users, we received a lot of reader questions about what happens next. The legislation makes it easier for Internet providers, such as AT&T and Verizon, to collect and sell information such as your Web browsing history and app usage. But let's get into the details: You wanted to know whether the measure could help the government dig up dirt on people. You asked how to protect your privacy. And some of you even asked if it would be possible to buy up the online browsing histories of Trump or members of Congress.

To find out, I spoke to a number of privacy and security experts who have been following these issues closely in the public and the private sectors.

Catch me up real quick. What did Congress vote on?

Congress voted to keep a set of Internet privacy protections approved in October from taking effect later this year. The rules would have banned Internet providers from collecting, storing, sharing and selling certain types of personal information — such as browsing histories, app usage data, location information and more — without your consent. Trump must still sign the legislation, but he is widely expected to do so. For more, read our full story here.

Without these rules, could I really go to an Internet provider and buy a person's browsing history?

The short answer is “in theory, but probably not in reality.”

Many Internet service providers (ISPs) have privacy policies that may cover this type of information. If an ISP shares or sells an individual's personal information in violation of its own privacy policy, a state attorney general could take the company to court, said Travis LeBlanc, a former enforcement bureau chief at the Federal Communications Commission. State attorneys general could also sue ISPs whose data practices could be construed as“unfair” to other businesses. Meanwhile, the chairman of the Federal Communications Commission has said what's left of his agency's privacy authority still allows him to bring lawsuits against companies — he just won't be able to write rules that look similar to what Congress rejected this week.

That said, if the providers relax their privacy policies or if the FCC chooses not to take action, ISPs could conceivably share detailed information about a person's Web usage that could be used to discover his or her identity.

“You may recall Verizon's supercookie program where they were tracking quite a bit,” LeBlanc said. “And there were allegations they could share unique data sets. It may not have said 'Travis LeBlanc,' but it would have been substantial data points about me.”

Based on how companies use and share data today, it's still relatively unlikely that an ISP would simply hand over data for cash, particularly about an individual, said Chris Calabrese, policy vice president at the Center for Democracy and Technology.

What generally happens in this industry is that a marketer will ask a company such as Facebook to advertise with a certain demographic — say, men between the ages of 45 and 55. The two companies will settle on a deal, and the marketer's ads will be displayed on Facebook to that group, but the marketing company will never see specific information about those people, which will continue to be held by the data company (or in this case, the ISP).

“That's the most likely way you'll have your Web surfing history sold,” said Calabrese — which means getting the raw data on, say, President Trump could be harder than you think. For that matter, other legal analysts said, it's not clear why Internet providers would comply with consumer requests for data on the politicians that helped ease industry regulations in the first place.

A spokesman for the cable industry said that many Internet providers have committed to a voluntary set of privacy principles that already limit the industry's ability to share or sell the data of individuals.

"ISPs haven’t done this to date and don’t plan to because they respect the privacy of their customers," said Brian Dietz, a spokesman for NCTA — The Internet & Television Association. "Regardless of the legal status of the FCC’s broadband privacy rules, we remain committed to protecting our customers’ privacy and safeguarding their information because we value their trust."

How can I protect myself now?

If you're looking for ways to enhance your privacy in an era of loosened regulation, security experts generally recommend several steps.

First, use a virtual private network, or VPN. For a little bit of money, the best VPNs can hide your true location so that it looks like you're surfing the Web as somebody else, and encrypt your Internet traffic so that nobody outside of the VPN can tell what you're looking at. Other tools, such as Tor, mask your identity by sending your Internet traffic bouncing through a whole bunch of other intermediary servers before arriving at its destination. Think of it as the online equivalent of losing a tail in a spy movie. These services are not cure-alls: They may cause your browsing speeds to drop, and some websites block VPNs altogether. That includes Netflix, which does this to defeat people who want to watch videos illegally. Finally, they don't thwart any snooping software that an Internet provider may have installed on your own device, logging your activity locally.

Second, make sure that the websites you use take advantage of HTTPS. You can think of HTTPS as a more secure version of the normal websites you visit; your overall experience won't change, and Internet providers will still be able to see that you're on a particular site, but they will see less about what you're doing there. Try forcing your browser to use the HTTPS version of a site if there is one. Chrome users, for example, can do this by installing this extension from the Electronic Frontier Foundation.

What does the legislation mean for the government's ability to spy on me?

The measure doesn't give the government any more powers to gather information on people than it already had, although with ISPs getting into the data-mining business, LeBlanc said, that's another place government officials could theoretically go to find information about people of interest.

“I don't see any prohibitions on government as a market actor bidding for your personal data,” he said. LeBlanc added that even foreign governments could conceivably buy data from ISPs to find out about people they're interested in.

There is some precedent for this. In fact, in 2013 the New York Times reported that the CIA had paid AT&T for records relating to its customers' phone calls.

But gathering information this way may be less efficient than certain tried-and-true methods, Calabrese said.

“If the FBI wants information from AT&T, they're going to get it the way they always have,” he said, “which is to send them a subpoena or a warrant.”

That's not to say law enforcement officials don't or won't find consumers' Internet data useful. What's likely to happen, Calabrese added, is that the new information ISPs collect on their users may find their way into databases that government officials are already mining. And that's how the government could indirectly gain even more information about you.

Comments

Brian FungBrian Fung covers business and technology for The Washington Post. Before joining The Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic. Follow